主页 / 问题 / 1105950
Accepted
r.mcreal
Asked:2020-04-06 00:06:22 +0800 CST2020-04-06 00:06:22 +0800 CST

symfony 4 上的 API 身份验证

  • 772

我正在尝试在 symfony 上创建一个 REST API 服务(不使用 api 平台)。达到用户认证。我是否正确理解了算法?

1) Проходим обычную аутентификацию 
2) Создаем apiKey и записываем его в бд
3) Возвращаем клиенту этот apiKey
4) При каждом обращении клиента к серверу проверяем валидность apiKey

?

如果是,如何正确执行?使用什么服务等等。从第一步开始。建议使用最少的第三方服务,但只能使用 symfony 开发人员自己推荐的服务

php

1 个回答

  1. Best Answer

    1)安装安全组件composer require symfony/security-bundle

    2) 从用户界面扩展用户类

    UserEntity extends Symfony\Component\Security\Core\User\UserInterface UserInterface

    用户实体必须包含 apiToken 属性

    3)在文件中config/packages/security.yaml添加截止日期

        providers:
        user:
            entity:
                class: App\Entity\UserEntity
                property: email

    4)假设您有一个用户类的存储库

    5)创建一个authenticator,给构造函数添加一个repository

    
use App\Repository\UserRepository;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Guard\AuthenticatorInterface;
use Symfony\Component\Security\Guard\Token\PostAuthenticationGuardToken;

class ApiTokenAuthenticator implements AuthenticatorInterface
{
    /**
     * @var UserRepository
     */
    private $userRepo;

    public function __construct(UserRepository $userRepo)
    {
        $this->userRepo = $userRepo;
    }

    public function start(Request $request, AuthenticationException $authException = null): Response
    {
        return new JsonResponse(['error' => 'Authentication Required'], Response::HTTP_FORBIDDEN);
    }

    public function supports(Request $request): bool
    {
        return $request->headers->has('TOKEN');
    }

    public function getCredentials(Request $request): ?string
    {
        return $request->headers->get('TOKEN');
    }

    public function getUser($token, UserProviderInterface $userProvider): ?UserInterface
    {
        return $this->userRepo->getByToken($token);
    }

    public function checkCredentials($credentials, UserInterface $user): bool
    {
        return true;
    }

    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): Response
    {
        return new JsonResponse(['error' => $exception->getMessage()], Response::HTTP_FORBIDDEN);
    }

    public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
    {
        return null;
    }

    public function supportsRememberMe(): bool
    {
        return false;
    }

    public function createAuthenticatedToken(UserInterface $user, $providerKey)
    {
        return new PostAuthenticationGuardToken($user, $providerKey, $user->getRoles());
    }

    每种方法的工作我就不描述了,所有的描述都可以在界面中阅读

    6)然后转到config/packages/security.yaml并添加(更改)行

            main:
            anonymous: ~
            provider: user
            guard:
                authenticators:
                    - App\ApiTokenAuthenticator

    就在下面:

        access_control:
        - { path: ^/, methods: [OPTIONS], roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/user, methods: [GET, POST], roles: ROLE_USER }

    此外,所有/user使用 TOKEN 标头向您发出的请求,

    必须马上说authenticator在美感上需要改进,比如getUser方法中,最好马上抛出403错误。

    • 3

相关问题